
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 2 minute read | September 21, 2022

A twist on risk appetite


The standard definition of risk appetite is “the amount of risk you are willing to take in the pursuit of objectives”.

That is not a clear explanation in plain business language, one that makes obvious business sense to everybody from the board room to the people in the trenches.

The primary problem is the idea that there is an “amount of risk”.

Ask a safety practitioner what amount of risk should be taken that somebody might be killed or suffer a serious injury.

How do you calculate an “amount of risk” that spans not only the entire enterprise, but different sources of risk such as compliance, safety, customer relations, reputation, competitor, economic, cash flow, third and fourth-party, cyber, human capital, and so on?

How does a risk appetite statement enable people across the extended organization, at various levels, to make the informed and intelligent decisions necessary to achieve objectives?

I think there is a better way that should be at least considered.

The twist is to ask:

How much am I willing to spend to ensure that the possibility of such and such happening and affecting my objectives (a range of effects or consequences and their likelihoods) is within my desired range?

For example, how much am I willing to spend to ensure that the possibility of a significant compliance failure is low enough to be acceptable – a risk I am willing to take?

How much am I willing to spend so that there is less than a 5% likelihood, say, of a cyber breach that would cause major disruption that I value at $10 million?

How much am I willing to spend on customer relations or safety measures to ensure… and so on.

This is what executives have been doing for ages. It is how they run the business.

But first they need to know:

  • What might happen (a range of possible consequences)?
  • What is the likelihood of each level of consequence?
  • How would this affect the achievement of objectives and the success of the organization?
  • Should I take that risk?
  • What are my options and how would further investment change the possibilities (level and/or likelihood of the range of consequences)?
  • What would that cost and is it worth it?
  • What are the options for that cash or other resource (opportunity cost)?
  • How would a reduction (!) in spending change the possibilities?

We don’t think enough about the last point.

We also don’t think enough about whether we are getting a solid, acceptable ROI when we invest in addressing a source of risk.
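To make the spend-for-range framing and the ROI point concrete, here is an added worked example that is not from the article: it models a constructed range of breach consequences with their likelihoods, applies several spending options (including a cut in spending), and checks for each whether the $10 million disruption stays below the 5% likelihood used above and whether the spend clears an assumed 10% opportunity cost on the cash. All dollar values, likelihoods and control effects are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed range of consequences for one source of risk (a cyber breach):
# level -> (annual likelihood, dollar impact). Illustrative values only.
BASELINE = {"minor": (0.30, 500_000), "serious": (0.12, 3_000_000), "major": (0.08, 10_000_000)}

@dataclass
class Option:
    """A spending decision and its assumed effect on each level's likelihood."""
    name: str
    annual_cost: float                                     # negative = a cut in spending
    likelihood_factor: dict = field(default_factory=dict)  # level -> multiplier on likelihood

def expected_loss(levels):
    return sum(p * impact for p, impact in levels.values())

def prob_at_least(levels, threshold):
    """Annual likelihood of a consequence worth at least `threshold` dollars."""
    return sum(p for p, impact in levels.values() if impact >= threshold)

def apply_option(option, levels):
    return {lvl: (min(1.0, p * option.likelihood_factor.get(lvl, 1.0)), impact)
            for lvl, (p, impact) in levels.items()}

def evaluate(option, baseline, threshold, max_likelihood, opportunity_rate):
    """Does this spend keep a threshold-sized consequence within the desired
    likelihood range, and is it worth it once the cash's opportunity cost is charged?"""
    after = apply_option(option, baseline)
    loss_reduction = expected_loss(baseline) - expected_loss(after)
    # Cash spent on controls forgoes opportunity_rate elsewhere; cash freed by a
    # cut earns it, so one formula covers both directions of the decision.
    net_benefit = loss_reduction - option.annual_cost * (1 + opportunity_rate)
    p_big = prob_at_least(after, threshold)
    return {"option": option.name, "likelihood_of_major": round(p_big, 4),
            "within_appetite": p_big < max_likelihood,
            "net_benefit": round(net_benefit), "worth_it": net_benefit > 0}

# Constructed options; the factors are assumed effects, not measured ones.
OPTIONS = [
    Option("status quo", 0),
    Option("cut monitoring spend", -200_000, {"minor": 1.3, "serious": 1.4, "major": 1.5}),
    Option("add detection and response", 400_000, {"minor": 0.9, "serious": 0.6, "major": 0.5}),
    Option("full programme", 2_500_000, {"minor": 0.7, "serious": 0.4, "major": 0.25}),
]

def compare(options=OPTIONS, baseline=BASELINE, threshold=10_000_000,
            max_likelihood=0.05, opportunity_rate=0.10):
    """The article's example: keep a $10M disruption below a 5% annual likelihood."""
    return [evaluate(o, baseline, threshold, max_likelihood, opportunity_rate)
            for o in options]
```

With these constructed numbers the option that meets the appetite is not automatically the one worth funding: the full programme meets it at a net loss, while the cut frees cash at a larger expected loss.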

What do you think? Is this better than trying to explain to top management and the board what “risk appetite” is and whether the organization is exceeding it (usually after the fact)?

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Filed under Finance and Accounting. Tags: compliance, cyber breach, cyber risk, Internal Controls, reputational risk, return on investment, risk, risk appetite, safety risk.



